Most of the major web browsers have either already disabled third-party cookies by default (Safari and Firefox), or plan to do so in the future (Google). Privacy advocates hope that these moves will usher in a new era of safer web browsing.
But there is a category of web browsers with much weaker protections, where cookies aren’t even required in order to track users across the web: the in-app browser. These browsers have managed to stay out of the mainstream privacy conversation until recent stories involving Meta and TikTok threw them, and their lax privacy standards, into the spotlight.
The Basics
Many mobile apps will include links to content hosted on the world wide web. Social platforms will show user-posted links to external content, news apps will include links to original sources for stories, and apps with sponsored links will lead users to external vendors’ websites to browse and buy products.
Since this content must be accessed by a web browser, many apps will prompt users to open those links in a third-party browser (the familiar popup where your phone asks you which of your browsers (or other apps) you want to use to open a link).
But some app developers have built their own web browsers which launch within their own apps. When a user clicks a link, they’ll be led straight to the relevant page on that in-app browser. But they can then keep browsing the web, clicking on further links, taking them away from the original content.
Because the user hasn’t left the original app, it’s possible for the owner of that app to track their web activity – not only the original page they land on when they open up the in-app browser, but any further activity too. And this tracking may be much more invasive than standard cookie-based tracking, with the app even able to tell what users have clicked on, and what they’ve typed into forms – which could include sensitive information like passwords and credit card details.
The Technical Detail
The security risk of in-app browsers first came to mainstream attention after a report from Felix Krause, founder of Fastlane, a tool to help developers build mobile apps.
Krause highlighted that when external websites are rendered on an in-app browser, the app owner is able to inject JavaScript code into every website which is shown on that browser.
Injecting JavaScript code onto a web page isn’t a malicious technique in and of itself. Any web user, if they know how, can inject JavaScript code onto websites they visit and make changes to web pages – those changes will only affect that session on that device.
But apps, since they control the in-app browser, can inject JavaScript into third-party web pages without either the user nor the web page’s consent. And this code may be malicious, though it isn’t necessarily.
Krause looked specifically at Instagram and TikTok’s in-app browsers, and found that both apps inject JavaScript code which allows them to modify the webpage giving them the ability to track users if they wanted to. In Instagram’s case, it looked as though no tracking code had actually been injected. But in TikTok’s case, Krause found code which is able to track every keystroke a user inputs (meaning it can collect any passwords or bank details which are typed out in the browser), as well as any taps on buttons, links, or images.
The fact that this code exists doesn’t mean that TikTok is saving that data or using it for malicious purposes (and TikTok maintains that the code is “solely used for debugging, troubleshooting, and performance monitoring”). But Krause says it’s impossible to know for sure how that data is used, meaning users have to take TikTok’s word for it that the company isn’t tracking their in-app browsing.
It’s important to note that not all in-app browsers are the same, or present the same security risks.
Many apps will use tools provided by the mobile operating systems themselves, which don’t have the same security risks. Apple for example encourages developers to use ‘SFSafariViewController’, a standardised way of presenting web pages within an app which prevents tracking.
And even if an app runs their own customer browser, they don’t necessarily inject code. Krause listed Snapchat and Robinhood as two popular apps with in-app browsers which don’t appear to inject JavaScript.
The Pros and Cons
In-app browsers do have benefits for consumers.
They can allow faster loading times (though they don’t always), since a separate web browser app doesn’t have to be opened up. They can also make for a more streamlined user experience, keeping the user within one window without the need to jump back and forth between the original app and their web browser.
And while TikTok and Instagram are hardly struggling for attention, smaller apps would argue that in-app browsers allow them to link to external content without totally losing their users. In-app browsers are much more limited than standard browsers – for example, they don’t typically have an address bar, making web browsing much clunkier. This means users are more likely to click on a link, view the external content, and then return to their original app, rather than continuing browsing other third-party content.
The closed systems enabled by in-app browsers also have benefits for advertisers. While restrictions on mobile advertising IDs (MAIDs) have made measurement and attribution much more difficult, mobile web browsers help circumvent these issues. Whenever a Facebook user clicks on an ad and then views the content on the in-app browser, Facebook can track the click and see when a purchase or download is completed.
But the cons are, as described above, the privacy concerns.
Most apps give users a choice of whether to open links in-app, or via an external browser, but that’s not always the case. TikTok notably doesn’t give users a choice, using the in-app browser by default.
And while it’s sometimes possible to tell whether an in-app browser might be tracking user activity, that’s not always the case. Felix Krause notes that Apple has introduced a new way for apps to run JavaScript called ‘Isolated World’, which has practical uses, but also makes it impossible to tell what JavaScript code the app might be running on in-app web pages.
